SecPrep

When does the browser send a CORS preflight (OPTIONS) request, and why?

A preflight is sent before any non-simple cross-origin request: a method other than GET, POST or HEAD, a non-simple Content-Type (e.g. application/json), or custom request headers. The browser first sends an OPTIONS request carrying Access-Control-Request-Method and Access-Control-Request-Headers; the server must answer with matching Access-Control-Allow-Methods, Access-Control-Allow-Headers and Access-Control-Allow-Origin before the browser issues the real request. Simple requests (GET or POST with only simple headers and a form or text content type) skip the preflight. The preflight gives the server a chance to reject unexpected cross-origin calls, but it is not a CSRF defense: the eventual request still reaches your server.
